On Fri, Feb 27, 2004 at 07:28:59PM +0100, Marco Rommelse wrote:
> I have noticed that the != operator doesn't work as expected anymore in the
> display-filter field. I am using ethereal version 0.10.2. This has worked up
> to version 0.10.0a. So if I want to filter out ip-address 192.168.1.2 for
> instance, I would normally enter ip.addr != 192.168.1.2. This doesn't seem
> to work anymore. You can get around it by entering !(ip.addr ==
> 192.168.1.2) instead. Has anyone else seen this?
Yes, I've seen it, because that's how Ethereal is supposed to work.
I've even seen it in 0.10.0a - I just downloaded it, built it, and tried
it, and "ip.addr != XXX.XXX.XXX.XXX" matched IP packets where at least
one of the addresses (source or destination) was something other than
XXX.XXX.XXX.XXX, as it was supposed to.
That means that it *will* match, for example, packets that are from
XXX.XXX.XXX.XXX but not *to* XXX.XXX.XXX.XXX, as well as packets that
are to XXX.XXX.XXX.XXX but not *from* XXX.XXX.XXX.XXX.
That's because

    1) "ip.addr != XXX.XXX.XXX.XXX" matches all packets that have an
       "ip.addr" field whose value isn't XXX.XXX.XXX.XXX

and

    2) an IPv4 packet has *two* "ip.addr" fields, one whose value is
       the source address and one whose value is the destination
       address, so that "ip.addr == XXX.XXX.XXX.XXX" will match
       packets to or from XXX.XXX.XXX.XXX.

I.e., that's not a bug, that's a feature, and it's not new in 0.10.2 or
even 0.10.1. It is, perhaps, counter-intuitive, but it's not clear that
special-casing the "!=" operator (which is what having "ip.addr !=
XXX.XXX.XXX.XXX" match only packets that have *no* "ip.addr" field equal
to XXX.XXX.XXX.XXX would require) would

    1) not make the implementation of display filters somewhat ugly;

    2) not make the display filter model a bit ugly - what about the
       other operators?

    3) not make some other reasonable filter expressions not work at
       all (i.e., somebody might want to find packets that have *no*
       instance of some filter field equal to a certain value).

The correct way to find packets that are neither to nor from
XXX.XXX.XXX.XXX is, as you've discovered, "!(ip.addr ==
XXX.XXX.XXX.XXX)", which also matches packets that aren't IP packets at
all (as they have *no* "ip.addr" fields, so they don't have an "ip.addr"
field that's equal to XXX.XXX.XXX.XXX). If you only want IP packets that
are neither to nor from XXX.XXX.XXX.XXX, that'd be
ip && !(ip.addr == XXX.XXX.XXX.XXX)
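
A small model of the matching rule described in the reply above, added here as an illustration and not part of the original message or of Ethereal's code. The packet representation (a list of field/value pairs), the helper names and the sample packets are assumptions made for the example.

```python
# Toy model of multi-valued display-filter fields (not Ethereal code).
# A packet is a list of (field_name, value) pairs; a field may occur more than once.

def values(packet, field):
    return [v for name, v in packet if name == field]

def eq(field, value):
    # "field == value": true if ANY instance of the field equals value
    return lambda pkt: any(v == value for v in values(pkt, field))

def ne(field, value):
    # "field != value": true if ANY instance of the field differs from value
    return lambda pkt: any(v != value for v in values(pkt, field))

def exists(field):
    return lambda pkt: bool(values(pkt, field))

def not_(pred):
    return lambda pkt: not pred(pkt)

def and_(a, b):
    return lambda pkt: a(pkt) and b(pkt)

def ip_packet(src, dst):
    # An IPv4 packet carries two "ip.addr" instances: source and destination.
    return [("ip", True), ("ip.addr", src), ("ip.addr", dst)]

HOST = "192.168.1.2"
PACKETS = {  # constructed sample traffic
    "from_host": ip_packet(HOST, "10.0.0.5"),
    "to_host": ip_packet("10.0.0.5", HOST),
    "host_to_itself": ip_packet(HOST, HOST),
    "unrelated": ip_packet("10.0.0.5", "10.0.0.9"),
    "arp": [("arp", True)],  # non-IP packet: no "ip.addr" field at all
}

FILTERS = {
    "ip.addr != HOST": ne("ip.addr", HOST),
    "!(ip.addr == HOST)": not_(eq("ip.addr", HOST)),
    "ip && !(ip.addr == HOST)": and_(exists("ip"), not_(eq("ip.addr", HOST))),
}

def matches(pred):
    return sorted(name for name, pkt in PACKETS.items() if pred(pkt))

if __name__ == "__main__":
    for text, pred in FILTERS.items():
        print(f"{text:26} -> {matches(pred)}")
```

The first filter still shows traffic to and from the host, which matters when the goal is to exclude a host from a capture view during analysis; only the negated equality forms remove it.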